End-of-Life (EoL)
PAN-OS 8.0.12 Addressed Issues
PAN-OS® 8.0.12 addressed issues
Issue ID | Description |
---|---|
PAN-100870 | Fixed an issue where the GlobalProtect™
app incorrectly displays a warning ( Password Warning:Password expires in 0 days )
even though the password has not, yet, expired. |
PAN-99968 | Fixed an issue where the firewall incorrectly
dropped GTPv2-C Modify Bearer Response packets due to a sequence-number mismatch. |
PAN-99897 | Fixed an issue where a configuration change
commit was accepted when only one virtual wire (vwire) interface
was defined in a vwire pair. With this fix, a commit for a change
where only one vwire interface is defined for a vwire pair is rejected
and an error message is displayed. |
PAN-99380 | Fixed an issue where the dataplane stopped
responding when a tunnel interface on the firewall received fragmented
packets. |
PAN-99263 | Fixed an issue where NetFlow caused an invalid
memory-access issue that caused the pan_task process
to stop responding. |
PAN-99212 | Fixed an issue where the firewall incorrectly
dropped ARP packets and increased the flow_arp_throttle counter. |
PAN-99141 | Fixed an issue in an HA active/active virtual
wire configuration where a race condition caused the firewall to
intermittently drop First SYN packets when they traversed the HA3
link. |
PAN-99067 | Fixed an issue where a firewall frequently
flapped a BGP session when the firewall did not receive any response
from the BFD peer or when BFD was configured only on the firewall. |
PAN-99060 | Fixed an issue where searching through pcaps
from a Log Collector in a configuration with multiple Log Collectors
took longer than expected. |
PAN-98949 | Fixed an issue on Panorama™ where generating
a threat pcap from the web interface ( Monitor tab)
took longer than expected and caused the web interface and CLI to
become inaccessible. |
PAN-98479 | Fixed an issue where Panorama displayed
a File not found error when you attempted
to view or download Threat packet captures (pcaps) from the Monitor tab. |
PAN-98470 | Fixed an issue on a firewall with GTP stateful
inspection enabled where the firewall incorrectly identified GTP
echo packets as GTP-U application packets. |
PAN-98097 | Fixed an issue on PA-3000 Series, PA-3200
Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls
where Captive Portal was inaccessible for traffic on Secure HTTP
(https) websites when SSL decryption was enabled and users were
behind a proxy server. |
PAN-97905 | Fixed an issue where device-group operations
were discarded when a concurrent commit was triggered by a different
administrator. |
PAN-97208 | Fixed an issue where a firewall in a high
availability (HA) active/active virtual wire (vwire) configuration
with SSL decryption enabled passed traffic through the wrong firewall. |
PAN-96997 | Fixed an intermittent issue where detecting
an unreachable WF-500 node took longer than expected. |
PAN-96889 | Fixed an issue where administrators were
required to perform a commit force before pushing a partial or regular
commit operation to managed appliances when the management server ( mgmtsrvr )
or configuration (configd ) process encountered a virtual
memory leak and restarted. |
PAN-96737 | Fixed an issue with an incorrect policy
match because Google-docs-base was incorrectly identified as SSL. |
PAN-96572 | Fixed an issue where, after end users successfully
authenticated for access to a service or application, their web
browsers briefly displayed a page indicating authentication completed
and then they were redirected to an unknown URL that the user did
not specify. |
PAN-96565 | Fixed an issue where the DNS proxy process
failed due to a DNS response packet containing a TXT resource record
with length = 0. |
PAN-96431 | A security-related fix was made to prevent
HTTP Header Injection in the Captive Portal. |
PAN-96388 | Fixed an issue in a non-vsys configuration
where a firewall dropped the Client Hello packet from tunneled traffic
when inbound decryption was enabled because the firewall considered
that packet to be an inter-vsys inbound packet. |
PAN-96231 | Fixed an issue where a commit took significantly
longer than expected when cloning a rule compared to when configuring
a new rule when the configuration contained a large number of rules. |
PAN-96113 | Fixed an issue where the show routing protocol bgp rib-out CLI
command did not display advertised routes that the firewall sent
to the BGP peer. This issue was observed only in a deployment where
a firewall is connected to a Border Gateway Protocol (BGP) peer
that advertised a route for which the next hop is not in the same
subnetwork as the BGP peer interface. |
PAN-95999 | Fixed an issue where firewalls in an HA
active/active configuration with a default session setup and owner
configuration dropped packets in a GlobalProtect VPN tunnel that
used a floating IP address. |
PAN-95766 | Fixed an issue where Q-in-Q-tagged packets
passed through a firewall without inspection or session creation. |
PAN-95730 | Fixed an issue where a firewall dropped
SIP-RTP packets flowing through a GRE tunnel when a Tunnel Inspection
Policy was configured with Security Options (Tunnel Inspection zones). |
PAN-95712 | Fixed an issue where browsers failed to
load custom response pages on decrypted websites when those pages
were larger than 8,191 bytes. With this fix, the firewall supports
decryption of custom response pages up to 17,999 bytes. |
PAN-95698 | Fixed an issue where the firewall revealed
part of a password in cleartext on the command-line interface (CLI)
and management server ( mgmtsrvr ) log when an administrator
attempted to set a password that exceeded the maximum number of
characters (31) using the CLI. With this fix, the firewall reports
an error when an administrator attempts to set a password that contains
more than 31 characters without revealing any part of the actual
password. |
PAN-95439 | Fixed an issue where using the test nat-policy-match command
from the XML API does not result in any matches when the matching
policy is a destination NAT policy. |
PAN-95339 | Fixed an issue where a firewall sent packets
out of order when the sending rate was too high. |
PAN-95090 | Fixed an issue where imported custom applications
did not display in Security Policies that were created through the
web interface. |
PAN-95061 | Fixed an issue on PA-220 firewalls where
either a commit or an EDLRefresh job failed with the following error
message: failed to handle CONFIG_UPDATE_START .
This issue occurred after an increase in the number of type URL
entries in an external dynamic list. |
PAN-94917 | Fixed an issue on Panorama Log Collectors
where the show system masterkey-properties CLI command
did not display the master key lifetime and reminder settings. |
PAN-94582 | Fixed an issue where the firewall did not
correctly re-learn a User-ID™ mapping after that mapping was temporarily
lost and recovered through successful WMI probing. |
PAN-94571 | Fixed an issue on PA-800 Series, PA-3200
Series, and PA-5200 Series firewalls where tunnel-bound traffic
was incorrectly routed through an ECMP route instead of a PBF route
as expected. |
PAN-94497 | Fixed an issue where the default static
route was not present in the routing table after you removed the
DHCP-provided default gateway when you configured a default static
route and DHCP provided the same default route. |
PAN-94385 | Fixed an issue on Log Collectors where the show log-collector serial-number CLI command
displayed log ages that exceeded log expiration periods.<LC_serial_number> |
PAN-94288 | Fixed an issue where the default view and
maximized view of the Application Usage report ( ACC Network Activity Time to Last
12 Hrs or a longer period. |
PAN-94221 | Fixed an issue when QoS was configured where
the dataplane restarted due to a packet process failure. |
PAN-94163 | Fixed an issue on firewalls deployed in
virtual wire mode where SSL decryption failed due to a memory pool
allocation failure. |
PAN-94058 | ( GlobalProtect configurations on PAN-OS
8.0.8 and later releases only ) Fixed an issue where a configured
Layer 3 interface erroneously opened ports 28869/tcp and 28870/tcp
on the IP address assigned to that Layer 3 interface. |
PAN-93973 | Fixed an issue on an M-100 appliance where
logging stopped when a process ( vldmgr ) stopped responding. |
PAN-93937 | Fixed an issue where the management server ( mgmtsrvr )
process on the firewall restarted when you pushed configurations
from the Panorama management server. |
PAN-93847 | Fixed an issue where a null-pointer exception
caused the device server (“devsrv”) process on the management plane
to restart. |
PAN-93331 | Fixed an issue where the firewall applied
the wrong checksum when a re-transmitted packet in a NAT session
had different TCP flags, which caused the recipient to drop those
packets. |
PAN-93329 | Fixed an issue where the non-session-owner
firewall in a high availability (HA) active/active configuration
with asymmetric traffic flow dropped TCP traffic when TCP reassembly
failed. |
PAN-93127 | Fixed an intermittent issue where NAT traffic
was dropped when NAT parameters were introduced or changed in the
path between the LSVPN GlobalProtect gateway and the GlobalProtect
satellite. To leverage this fix in your network, you must also enable
Tunnel Monitoring on the GlobalProtect Gateway (“Network > GlobalProtect
> Gateways > <”gp-gateway”> > Satellite > Tunnel Settings”). |
PAN-92893 | Fixed an issue that occurred during the
reboot process and caused some firewalls to go in to maintenance
mode. |
PAN-92788 | Fixed an issue where the PAN-OS XML API
returned the same job IDs for all report jobs on the firewall. With
this fix, the PAN-OS XML API returns the correct job ID for each
report job. |
PAN-92569 | Fixed an issue where the firewall displayed
a continue-and-override response page when users tried to access
a URL that the firewall incorrectly categorized as unknown because
it learned the URL field as an IP address. |
PAN-92445 | Fixed an issue where the Panorama management
server didn't display log data in Monitor Logs ACC tab, or
reports when Panorama was in a different timezone than the Dedicated Log
Collectors because Panorama applied the wrong time filter. |
PAN-92033 | Fixed an issue during the software download
process that prevented some firewalls and appliances from properly
receiving these images. |
PAN-91926 | Fixed an issue where GlobalProtect users
could not access some websites decrypted by the firewall due to
an issue with premature deletion of proxy sessions. |
PAN-91361 | Fixed an issue where client connections
initiated with HTTP/2 failed during SSL Inbound Inspection decryption
because the firewall removed the Application-Layer Protocol Negotiation
(ALPN) extension within the server hello packet instead of forwarding
the extension to the client. |
PAN-91238 | Fixed an issue where an Aggregate Ethernet
(AE) interface with Link Aggregation Control Protocol (LACP) enabled
on the firewall went down after a cisco-nexus primary virtual port
channel (vPC) switch LACP peer rebooted and came back up. |
PAN-90917 | Fixed an issue where IP addresses for predefined
External Dynamic Lists were not displayed on the web interface. |
PAN-90824 | An enhancement was made to improve compatibility
for the HTTP log forwarding feature so that you can specify the
TLS version that the HTTP log forwarding feature uses to connect
to the HTTP server. To specify the version, use the debug system https-settings tls-version CLI
command. (To view the currently specified version, use the debug system https-settings command.) |
PAN-90448 | Fixed an issue where PA-7000 Series and
PA-5200 Series firewalls didn't properly Rematch all
sessions on config policy change for offloaded sessions (Device Setup Session |
PAN-90048 | Fixed an issue where automatic commits failed
after you configured Security policy rules that referenced region
objects for the source or destination and then upgraded the PAN-OS
software. |
PAN-88829 | Fixed an issue where the firewall was unable
to verify a signature and marked the response as unavailable when
the OCSP responder signed the response and sent it to the OCSP client
but did not include the certificate. |
PAN-87855 | Fixed an issue where some ICMP Type 4 traffic
was not blocked as expected after you created a deny Security policy
rule with custom App-ID for ICMP Type 4 traffic. |
PAN-87079 | ( PA-3060, PA-3050, PA-5000 Series, PA-5200
Series, and PA-7000 Series firewalls only ) Fixed an issue where
Threat logs displayed an Other IP Flood message instead
of identifying the threat name of the correct protocol (such as TCPFlood )
when traffic reached the configured SYN flood max-rate threshold (Objects Security Profiles DoS Protection <DoS_Protection_profile> Flood Protection SYN Flood |
PAN-86672 | Fixed a rare issue where a commit caused
the disk to become full due to an incorrect disk quota-size value,
which caused the firewall to behave unpredictably (for example,
the web interface and CLI became unresponsive). |
PAN-84836 | A security-related fix was made to address
a Cross-Site Scripting (XSS) vulnerability in the PAN-OS response
to a GlobalProtect gateway (CVE-2018-10139). |
PAN-84647 | Fixed an issue with scheduled log exports
that prevented firewalls running in FIPS-CC mode from successfully
exporting the logs using Secure Copy (SCP). |
PAN-83946 | Fixed an issue where the default QoS profile
limited the available bandwidth to 10Gbps when you specifically
applied the profile to the ae2 interface; this issue occurred regardless
of the bandwidth setting you configured specifically for that profile. |
PAN-83900 | Fixed an issue where the Panorama management
server did not run ACC reports or custom
reports because the reportd process stopped responding
when an administrator tried to access a device group to which that
administrator did not have access. |
PAN-83628 | Fixed an issue where an error was displayed
when filtering the threat log because the buffer was cleared before
prepending the query strings to it. |
PAN-83469 | Fixed an issue where firewalls were unable
to connect to a log collector after you modified the Log Forwarding
Preferences ( Panorama Collector
Groups <group> Device Log Forwarding |
PAN-83030 | Fixed an issue where an SSL session was
reset after displaying the SSL decryption opt-out page regardless
whether the user chose Yes or No . |
PAN-81320 | Fixed an issue where administrators could
perform a commit lock through the API but could not remove the lock
using the same API account credentials on the web interface. |
PAN-80794 | A protocol-related fix was made to address
a bug in the OSPF protocol. |
PAN-80665 | Fixed an issue in a bi-directional User-ID
redistribution configuration where the User-ID ( useridd )
process stopped responding when same IP address was continually
associated with different usernames, which caused the IP address-to-username mapping
to continually sync between firewalls. |
PAN-76441 | Fixed an issue where expiration
of the Captive Portal browser-session cookie was incorrectly set
on the browser to 24 hours by default. With this fix, the Captive
Portal browser-session cookie expires when the browser session is
terminated. |
PAN-42036 | Fixed a rare intermittent issue on PA-800
Series, PA-2000 Series, PA-3000 Series, PA-5000 Series, PA-5200
Series, and PA-7000 Series firewalls where the firewall unexpectedly
rebooted due to memory page allocation failure, which generated
a non-maskable interrupt (NMI) watchdog error on the serial console. |
Recommended For You
Recommended Videos
Recommended videos not found.